(54) Secure metering vault having LED output for recovery of postal funds



(57) A secure metering vault for use with a host printing module via a secure communication link includes a secure output device such as a light emitting diode (LED) configured for outputting the available postal funds stored in the secure metering module in response to a detected malfunction in the secure communication link. The vault includes a processor that monitors the condition of the secure communication link, and that controls the storage and updating of the stored available postal funds in a nonvolatile memory. If a failure is detected in the communication link, the processor outputs to the LED the stored value of the available postal funds based upon a prescribed format such as Morse code or some other blinking pattern that is equivalent to the postal funds remaining in the vault. Use of the secure output device to output the stored available postal funds enables a user to recover the funds without tampering with the secure metering module, which may otherwise cause self-destruction of the vault or deletion of the available postal funds from memory.
Description

This invention relates to secure modular postage 
printing systems, where a secure metering module 
stores available postal funds for a host printing module. 

Postage metering systems have been developed in a modular arrangement where a host printing module, also referred to as a mailing machine, includes a printer configured for printing indicia that indicate the value of the postage being applied. The control signals associated with printing the corresponding indicia are generated by a secure metering module, also referred to as a vault, which stores the available postal funds for the value printing system.

An important consideration in an electronic postal mailing system is that the postal funds within the secure metering module (i.e. the vault) are secure, where the host printing module prints postage indicia on a mail piece, and where the accounting registers within the secure metering module accurately reflect the available postal funds relative to the printing of the postage indicia by the printing module. Postal authorities generally require the accounting information to be stored within the postage meter and to be held in a secure manner, such that any postal mailing system should include security features to prevent unauthorized and unaccounted for changes in the amounts of postal funds held in the meter. Postal authorities also require that meters be put in service and removed from service in strict compliance with postal requirements for registration and periodic inspection, for example every six months. Hence, the security and inspection requirements by the postal authorities enable the postal authorities to keep reliable records on the usage of the meter, as well as to detect fraud.

The security requirement for the vault has generally required the actual metering module to have a secure physical housing that physically protects the stored postal funds and associated encryption keys, such that postal and accounting information can be accessed to and from the vault only by a secure communication link between the vault and the external host printing module. The vault may also include a tampering detection device designed to detect tampering of the physical or electronic integrity of the vault. If tampering is detected by an unauthorized agency, the vault may self-destruct by deleting the encryption keys, or by deleting the available postal funds from the memory.

The secure nature of the vault creates difficulties when attempting funds recovery, where a user attempts to read a value of the remaining funds stored in the vault from a malfunctioning vault. Typically, a user may attempt to disassemble the secure vault and determine the stored funds using electronic probes to read back electronic signals. However, a tampering detection device within the vault may consider the funds recovery attempt as a tampering attempt, causing the tampering detection system to destroy the electronic memory.



Hence, if a vault malfunctions, the stored available postal funds in the vault may be lost, creating substantial expense and inconvenience for the user.

There is a need for an arrangement for recovering funds from a secure metering module in a modular postal mailing system while maintaining the integrity of the secure metering module.

There is also a need for an arrangement for recovering funds from a secure metering module of a modular postal mailing system that provides user feedback including funds recovered without any interaction or interfacing by the user.

These and other needs are attained by the present invention, where a secure metering module has a secure output device configured for outputting the stored available postal funds from the secure metering module in response to a detected malfunction in a secure communication link.

According to one aspect of the present invention, in a modular postal mailing system for the printing of indicia having a postal value, a secure metering module includes a nonvolatile memory configured for storing available postal funds, a communication port configured to establish a secure communication link between the secure metering module and an external host processor controlling printing of the indicia, a processor configured for updating the stored available postal funds based on the printing of the indicia at the corresponding postal value, the processor configured for detecting a malfunction in the secure communication link, and a secure output device configured for outputting the stored available postal funds from the secure metering module in response to the detected malfunction. Use of the secure output device enables a user to recover the available postal funds without the necessity of any interaction with the secure metering module. Hence, the user may recover funds from the secure metering module without supplying any inputs to the secure metering module or performing any actions on the secure metering module that may affect the integrity of the secure metering module.

Another aspect of the present invention relates to a method in a secure metering module for use in a modular postal mailing system having a host processor controlling printing of indicia having a postal value and a secure metering module storing available postal funds and having a communication port configured for establishing a secure communication link with the host processor. The method of the present invention includes determining an operating condition of the secure metering module, detecting a failure in the communication link, and selectively outputting via a secure output device in the secure metering module at least one of a status indication of the determined operation condition and a funds indication of the stored available postal funds based on the determined operating condition and the detection of the failure. The selective output of status indication and funds indication via the secure output device enables a user to determine the operating condition of the secure metering device during normal operation. Moreover, the selective output by the secure output device enables a user to recognize a malfunction in the secure metering device, while at the same time perform funds recovery without tampering with the device.

Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims.

Reference is made to the attached drawings, wherein elements having the same reference numeral designations represent like elements throughout and wherein:

Figure 1 is a block diagram of a modular postal mailing system having a secure metering module according to an embodiment of the present invention.

Figure 2 is a block diagram illustrating the vault microprocessor system of Figure 1.

Figure 3 is a flow diagram of a method in the secure metering module for selectively outputting status indicia and funds indicia for fault recovery according to an embodiment of the present invention.

Figure 1 is a block diagram illustrating a modular postal mailing system 10 having the secure metering module of the present invention. The modular postal mailing system 10 may be configured as a Class II meter according to U.S. postal regulations. The modular postal mailing system 10 includes a secure metering module 12 (i.e., a vault) that stores available postal funds, an external host processor 14 in communication with the vault 12 via a secure communication link 16 and that prints value indicia such as postage indicia based on the available postal funds stored in the vault 12. The host 14, for example a personal computer, is configured for postage printing and includes a serial port interface 24 for coupling the secure metering module 12 to the host 14 via a secure two-way data communication link 16 between the host 14 and the vault 12. The host 14 runs at least one software application for postage processing and controlling the printer associated with the host 14. The vault 12 comprises a vault microprocessor system that stores the available postal funds, and that controls overall operations of the vault 12. The vault microprocessor system 20 sends electronic signals through a serial port 22 to the host 14 via the secure communication link 16.

Figure 2 is a block diagram illustrating in further detail an exemplary implementation of the secure metering module 12. The vault microprocessor system 20 includes a nonvolatile RAM (NVRAM) 30 that stores available postal funds information, a processor 32, a read only memory (ROM) 34, and a tamper detection circuit 36. The processor 32 is configured for updating the stored available postal funds based on printing status messages received from the host 14 via the receive line 16a. The serial port 22, upon receiving the message, forwards the received encrypted message to the processor 32 for decryption and updating of the accounting information including the available postal funds stored in the NVRAM 30. As recognized in the art, encryption and decryption keys associated with maintaining the security of the communication link 16 may be stored either in the NVRAM 30 or the ROM 34.

The processor 32 and the memory (including the NVRAM 30 and the ROM 34) perform all postage accounting functions, such as maintaining ascending and descending register values. The processor system 20 also may perform a variety of encryption functions, including generation of digital signatures for inclusion in postage indicia and for inclusion in data messages exchanged with a postal service data center during recharging of the available postal funds in the vault 12. Verification of authenticity of the secure metering module 12 according to U.S. postal regulations may include an exchange of signals between the host 14 and the secure metering module 12, where at least some of the signals are encrypted.

In a postage printing operation, the user might use the keyboard of the host computer 14 to enter a desired postage amount. The host computer supplies the postage value to the secure metering module 12 via the secure communication link 16. The secure metering module generates a postage indicium in accord with the U.S. Postal Service specifications, and supplies the signals representing the indicium to the host 14, to drive the printer and print the indicium on a mail piece.

The printed indicium includes certain human readable information such as the date and the postage amount. The indicium also includes a two-dimensional bar code. The bar code contains in-the-clear information such as PSD identification, postage value and various routing information. The bar code also includes a digital signature formed by encryption of certain data specified by the USPS. The data used at the input to the encryption process for the digital signature includes service ID information, the ascending and descending register values, a special purpose field, the postage value, licensing zip code, the date and the amount of postage.

As shown in Figure 2, the vault microprocessor system 20 also includes a tamper detection unit 36 configured to detect a tampering attempt on the secure metering module 12. For example, the tamper detection unit 36 may include electrical or physical sensors configured to detect a breach of the physical housing of the secure metering module 12, or unauthorized electrical activity on either the serial port 22 or elsewhere within the secure metering module 12. Upon detecting a tampering attempt, the tamper detection unit 36 causes deletion of the available postal funds in the nonvolatile memory 30, for example by sending a tampering signal to the processor 32 which then deletes the available postal funds from the NVRAM 30. Alternatively, the tamper detection unit 36 may directly delete the available postal funds from the NVRAM 30 in response to the detected tampering attempt. Although the tamper detection unit 36 is disclosed as separate from the processor 32, the tamper detection unit 36 may also be incorporated as part of the functionality of the processor 32.

As described above, the security requirements of the secure metering module 12 create difficulties when attempting funds recovery, where a user attempts to read a value of the remaining funds stored in the vault after a communication failure in the secure communication link 16. Hence, an alternative means for communicating the available postal funds stored in the secure metering module is necessary in the event a malfunction occurs in the secure communication link 16, regardless of whether the malfunction is in one of the serial ports 22 or 24, or within the receive line 16a or the transmit line 16b.

According to the disclosed embodiment, the secure metering module includes a secure output device 26 configured for outputting the stored available postal funds from the secure metering module 12 in response to a malfunction detected in the secure communication link 16. The term "secure output device" refers to an output-only device that cannot be compromised by tampering attempts. According to the disclosed embodiment, the secure output device is implemented as a light emitting diode (LED) 26 that outputs a wireless signal as an optical signal having a prescribed format, described below. Hence, the processor 32, upon detecting a malfunction in the secure communication link 16, generates error signals to the LED 26 representing the available postal funds in response to the detected malfunction. The LED 26 in response outputs visually-perceptible signals representing the stored available postal funds from the secure metering module 12 in response to the error signals from the processor 32. Although the disclosed arrangement describes the secure output device as an LED 26, an alternative secure output device may be implemented, for example a wireless transmitter such as an RF transmitter.

Use of the LED 26 can also be combined with normal operations to provide a user with visual feedback as to the normal operation of the vault 12, enabling a user to distinguish between normal operation and error conditions in the host processor 14 for troubleshooting purposes, as well as providing funds [...] on the secure communication link 16.

Figure 3 is a flow diagram illustrating a method of outputting status and error information relating to the secure output device 26 to enable a user to determine the operating condition of the secure metering module 12, as well as to perform funds recovery in the event of a failure in the communication link 16. The method begins in step 50, where the processor 32 is powered up and turns on the LED 26 in step 52 to indicate to a user that power is connected successfully to the secure metering module 12. The processor 32 will continue to maintain the LED in an active state while performing power up diagnostics stored in the ROM 34 in step 54. The LED 26 may output a prescribed pattern of status indicia based on driving signals from the processor 32 during the power up diagnostics. For example, the LED 26 may be driven at a reduced intensity, or alternatively the LED 26 may blink according to a prescribed pattern, for example, one pulse per second with a 50% ON/OFF duty cycle, during performance of the system check in step 54. The diagnostics may include integrity check of the components of the vault for physical integrity and functional operability. If the processor 32 determines in step 56 that the vault 12 passes all the diagnostics, the processor 32 turns off the LED in step 58, indicating that the system check was successful. Assuming diagnostics were satisfactory, the processor 32 then checks the communication link 16 in step 60. As recognized in the art, the processor 32 may check the communication link 16 by a prescribed protocol with the host processor 14 between the respective serial ports 22 and 24. If the processor determines in step 60 that the secure communication link 16 is operating normally, then the processor 32 enters a normal operation mode in step 62, where the processor may cause the LED 26 to blink a first and second pattern whenever a message is transmitted and received successfully by the secure metering module 12, respectively, to provide feedback of the communication to a human operator.

As described above, the processor 32 checks in step 56 whether the power up diagnostics performed in step 54 are satisfactory. If in step 56 the processor 32 determines that a portion of the vault 12 fails the diagnostics, the processor 32 may cause the LED 26 to blink in step 64 according to a prescribed pattern corresponding to a diagnostic failure, for example two pulses per second for thirty seconds. The processor 32 then checks in step 66 whether there is any communication on the secure communication link 16, for example by sending one message and waiting for a response from the host processor 14, although other communication protocol may be used, especially depending on whether the secure metering module 12 is configured as a master device or a slave device.

If in step 66 the processor 32 determines that communications are possible with the host processor 14, the processor 32 outputs a message to the host processor in step 68 reporting the error condition through the communication channel 16. However, if no communication is possible across the secure communication link 16, the processor 32 checks in step 70 if the stored values for the available postal funds are valid, using known error detection and encryption techniques. If in step 70 the processor 32 determines that the stored values for the available postal funds are invalid, the processor 32 outputs in step 72 an operating condition error signal to the LED 26, for example a Morse code or blinking pattern indicating a general failure of the vault 12. However, if in step 70 the processor 32 determines that the stored value for the available postal funds is valid, the processor 32 outputs a funds indication of the stored available postal funds to the LED 26, for example as a Morse code sequence, or any other recognizable blinking pattern equivalent to the postal funds remaining in the vault 12.

Hence, the LED 26 can be used as a secure output device to provide status indication of the determined operating condition of the vault 12, as well as a secure arrangement for recovering the stored available postal funds upon detecting a failure in the communication link 16. In case the vault receive line 16a is operating and the transmit line 16b is inoperable, the processor 32 may trigger the LED response according to a prescribed error detection scheme, for example if the vault receives a status message five times in a row from the host processor 14, as opposed to receiving acknowledgement messages according to a prescribed communication protocol. In the case that the receive line 16a is broken, the processor 32 may determine that a communication failure has occurred if the vault 12 detects no communication from the power up for 10 seconds, where the failure to detect any communication is repeated over a prescribed number of power up conditions.

As described above, the detection of a failure in the secure communication link 16 depends on the communication protocol between the secure metering module 12 and the host processor 14. If the secure metering module 12 is configured as a slave device, where the secure metering module 12 is not permitted to transmit unless instructed from the host processor 14, the processor 32 determines a communication failure upon determining the lack of any communication activity at power up for a prescribed interval, for example no message received for ten seconds, where the inactivity condition is repeated for five consecutive power ups. Conversely, if the secure metering module initiates a communication, the secure metering module 12 can detect a communication immediately.

As described above, the secure metering module 12 can assume a communication failure if failures are observed over a predetermined number of consecutive power ups. The processor 32 can also track the number of consecutive hardware failures by storing the failure conditions in the nonvolatile memory 30.
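The decision path of Figure 3 (steps 56 to 72) and the slave-mode failure counter described above can be expressed in firmware-style C; this is an added example, not code from the patent. The `nvram_t` layout, the CRC-16 used as the step 70 validity check, the cents unit and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed NVRAM layout: the funds value, a CRC-16 standing in for the "known
   error detection" check of step 70, and the power-up silence counter. */
typedef struct {
    uint32_t funds_cents;      /* available postal funds, unit assumed */
    uint16_t crc;              /* CRC-16/CCITT-FALSE over funds_cents */
    uint8_t  silent_powerups;  /* consecutive power-ups with no host message */
} nvram_t;

typedef enum { LED_NORMAL, LED_REPORT_TO_HOST, LED_GENERAL_FAILURE, LED_FUNDS } led_action_t;
#define SILENT_POWERUPS_LIMIT 5   /* "five consecutive power ups" */

static uint16_t crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

uint16_t funds_crc(uint32_t funds)
{
    /* Serialize big-endian so the check does not depend on CPU byte order. */
    uint8_t b[4] = { (uint8_t)(funds >> 24), (uint8_t)(funds >> 16),
                     (uint8_t)(funds >> 8),  (uint8_t)funds };
    return crc16(b, sizeof b);
}

/* Slave-mode detection: call once per power-up after the 10 s listen window.
   Returns 1 once the silence has repeated SILENT_POWERUPS_LIMIT times. */
int link_failed(nvram_t *nv, int message_seen)
{
    if (message_seen) { nv->silent_powerups = 0; return 0; }
    if (nv->silent_powerups < UINT8_MAX) nv->silent_powerups++;
    return nv->silent_powerups >= SILENT_POWERUPS_LIMIT;
}

/* Steps 56-72 of Figure 3. Sending a unit that passes diagnostics but has a
   dead link to step 70 is an assumption drawn from the summary. */
led_action_t select_output(const nvram_t *nv, int diagnostics_ok, int link_ok)
{
    if (link_ok)
        return diagnostics_ok ? LED_NORMAL : LED_REPORT_TO_HOST;   /* 62 / 68 */
    if (funds_crc(nv->funds_cents) != nv->crc)
        return LED_GENERAL_FAILURE;                                /* 72 */
    return LED_FUNDS;                           /* stored value is valid */
}

/* Encode the funds as Morse digits ('.' and '-', digits separated by ' ').
   Returns the string length, or 0 if the buffer is too small. */
size_t funds_to_morse(uint32_t funds, char *out, size_t cap)
{
    static const char *const digit[10] = {
        "-----", ".----", "..---", "...--", "....-",
        ".....", "-....", "--...", "---..", "----." };
    char dec[11];
    int n = 0;
    do { dec[n++] = (char)('0' + funds % 10); funds /= 10; } while (funds);
    if (cap < (size_t)n * 6) return 0;  /* 5 symbols + separator or NUL each */
    size_t pos = 0;
    while (n--) {                       /* most significant digit first */
        memcpy(out + pos, digit[dec[n] - '0'], 5);
        pos += 5;
        if (n) out[pos++] = ' ';
    }
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    nvram_t nv = { 1250, 0, 0 };        /* constructed sample value */
    char morse[64];
    nv.crc = funds_crc(nv.funds_cents);
    if (select_output(&nv, 0, 0) == LED_FUNDS && funds_to_morse(nv.funds_cents, morse, sizeof morse))
        puts(morse);
    return 0;
}
```

Validating the record before encoding matters because the LED is the only recovery channel: a corrupted register blinked out as a plausible amount could not be distinguished from a genuine one by the person reading it.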

While this invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiment but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims 

1. In a modular postal mailing system for the printing of indicia having a postal value, a secure metering module comprising:

a nonvolatile memory configured for storing available postal funds;

a communication port configured to establish a secure communication link between the secure metering module and an external host processor controlling printing of the indicia;

a processor configured for updating the stored available postal funds based on the printing of the indicia at the corresponding postal value, the processor configured for detecting a malfunction in the secure communication link; and

a secure output device configured for outputting the stored available postal funds from the secure metering module in response to the detected malfunction.

2. The module of claim 1, wherein the secure output device outputs the postal funds information as a wireless signal having a prescribed format.

3. The module of claim 2, wherein the secure output device is a light emitting diode (LED) outputting the wireless signal as an optical signal, the processor outputting LED driver signals specifying the stored available postal funds according to the prescribed format.

4. The module of claim 3, wherein the prescribed format is Morse code.

5. The module of claim 3, further comprising a tamper detection unit configured to detect a tampering attempt on the secure metering module, the tamper detection unit causing deletion of the available postal funds from the nonvolatile memory in response to the detected tampering attempt.

6. The module of claim 1, wherein the processor generates status information signals specifying a status of the secure metering module, the secure output device outputting status indicia in response to the status information signals.

7. The module of claim 6, wherein the status indicia include at least one of a successful power connection, a system check, a successful message transmission to the external host processor via the communication port, and a successful message reception from the external host processor via the communication port.

8. The module of claim 6, wherein the processor is configured to identify the detected malfunction on at least one of a transmit line and a receive line of the communication link.

9. The module of claim 1, wherein the processor detects the malfunction based on failure to receive a prescribed message from the external host processor over a prescribed interval.

10. The module of claim 9, wherein the prescribed interval corresponds to a prescribed number of time intervals following respective power-up conditions.

11. The module of claim 9, wherein the secure output device is configured to output status indicia in response to successful transmission/reception of a message to/from the host processor.

12. The module of claim 1 wherein the processor is further configured for deleting the nonvolatile memory in response to a detected tampering attempt, the processor generating error signals representing the available postal funds in response to the detected malfunction or the detected tampering attempt; and

a secure output device for outputting visually-perceptible signals representing the stored available postal funds from the secure metering module in response to the error signals.

13. The module of claim 12, wherein the processor is configured to identify the detected malfunction on at least one of a transmit line and a receive line of the communication link, the processor simultaneously outputting a funds availability message specifying the stored available postal funds on the transmit line and an output signal specifying the stored available postal funds to the secure output device in response to the identification of the detected malfunction in the receive line.

14. In a modular postal mailing system having a host processor controlling printing of indicia having a postal value and a secure metering module storing available postal funds and having a communication port configured for establishing a secure communication link with the host processor, a method in the secure metering module comprising:

determining an operating condition of the secure metering module;

detecting a failure in the communication link; and

selectively outputting via a secure output device in the secure metering module at least one of a status indication of the determined operation condition and a funds indication of the stored available postal funds based on the determined operating condition and the detection of the failure.

15. The method of claim 14, wherein the selectively outputting step comprises outputting as a wireless signal in a prescribed format the stored available postal funds in response to the detected failure in the communication link.

16. The method of claim 15, wherein:

the secure metering module includes a processor and the secure output device is a light emitting diode (LED);

the detecting step comprising detecting by the processor a failure to receive a prescribed message from the host processor within a prescribed interval; and

the selectively outputting step comprises outputting from the processor a driver signal corresponding to the stored available postal funds, and generating by the LED the wireless signal in response to the driver signal.